Analysis
max time kernel: 1801s
max time network: 1151s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/10/2023, 16:24
Static task: static1
Behavioral task: behavioral1
Sample: trlogdecode.exe
Resource: win10v2004-20230915-en
General
Target: trlogdecode.exe
Size: 1.3MB
MD5: 92b3276355c5fd88754ae44a2da48792
SHA1: 4e41028f96fe413556d54211289561d472a578b5
SHA256: 5558cbccff4ceb5ef15e7dccc016fc83d70e2875c564910a9f441ad756ef9671
SHA512: faf8a8f8911ad4d6a45772c2d6fca05c59627c36ab52fb35c219802ddb582667830e69ef2a290ee6858b874bd85e85c554f55b6f6fbc2c5edaf4928512edbfe9
SSDEEP: 24576:OLQNJci7iM0HSAPC/erRKcbDlz/yB6/VjXc/i6frGS+5x1Opj3O/SrEZMl8VdkOZ:luPdPYIKSDt/GCpc/i0EQTO/fzkO2F9K
Signatures
Loads dropped DLL (3 IoCs)
pid 4732, process trlogdecode.exe (3 events)
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource behavioral1/memory/4732-4-0x0000000000B50000-0x0000000000EEC000-memory.dmp, yara_rule agile_net
resource behavioral1/memory/4732-6-0x0000000000B50000-0x0000000000EEC000-memory.dmp, yara_rule agile_net
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
pid 4732, process trlogdecode.exe (64 events)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 4732, process trlogdecode.exe (2 events)
Suspicious use of SetWindowsHookEx (1 IoC)
pid 4732, process trlogdecode.exe (1 event)
Downloads
Filesize: 136KB
MD5: 54ab56509d910c969b9c287fde10026d
SHA1: b0929cd61e4428d57191b0c41ad60765236bed4c
SHA256: 998b95107a40360c441b4d1211f9f2e5ea9d004017baa383ffbe1a46cf08bfd0
SHA512: b16722ac2662362d6ee37620f1ab2dcee05e0a54b49dbc8bb2d93561f35f2f09e4dd8f0bc6139d57a5424a7b76c62dafef62a7f355ea1963e7fcdce180cdd2e8
Filesize: 1KB
MD5: c55e2ff93285f9933fc8021a29b14d9a
SHA1: e364fc4b3b92c9d622c661bd784d9802671b4706
SHA256: 3a5a35788a20e0cd9bcb8f4ef394d23d59a89d75948f4be413a4dc6ec49a58d7
SHA512: fe06b8778cc77391a168525bdfc655252ec3836a052bb0f0e16a9621c275dbf5c79ee8f2a80821d1a3c37427a49f43e60523fd8fbfa9e081f6392468125ff408